Skip to content

azurermSentinelThreatIntelligenceIndicator

Manages a Sentinel Threat Intelligence Indicator.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "east us",
    name: "example-rg",
  }
);
const azurermLogAnalyticsWorkspaceExample =
  new azurerm.logAnalyticsWorkspace.LogAnalyticsWorkspace(this, "example_2", {
    location: azurermResourceGroupExample.location,
    name: "example-law",
    resource_group_name: azurermResourceGroupExample.name,
    retention_in_days: 30,
    sku: "PerGB2018",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLogAnalyticsWorkspaceExample.overrideLogicalId("example");
const azurermSentinelLogAnalyticsWorkspaceOnboardingExample =
  new azurerm.sentinelLogAnalyticsWorkspaceOnboarding.SentinelLogAnalyticsWorkspaceOnboarding(
    this,
    "example_3",
    {
      resource_group_name: azurermResourceGroupExample.name,
      workspace_name: azurermLogAnalyticsWorkspaceExample.name,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSentinelLogAnalyticsWorkspaceOnboardingExample.overrideLogicalId(
  "example"
);
const azurermSentinelThreatIntelligenceIndicatorExample =
  new azurerm.sentinelThreatIntelligenceIndicator.SentinelThreatIntelligenceIndicator(
    this,
    "example_4",
    {
      depends_on: [
        "${azurerm_sentinel_log_analytics_workspace_onboarding.test}",
      ],
      display_name: "example-indicator",
      pattern: "http://example.com",
      pattern_type: "domain-name",
      source: "Microsoft Sentinel",
      validate_from_utc: "2022-12-14T16:00:00Z",
      workspace_id: azurermLogAnalyticsWorkspaceExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSentinelThreatIntelligenceIndicatorExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • displayName - (Required) The display name of the Threat Intelligence Indicator.

  • patternType - (Required) The type of pattern used by the Threat Intelligence Indicator. Possible values are domainName, file, ipv4Addr, ipv6Addr and url.

  • pattern - (Required) The pattern used by the Threat Intelligence Indicator. When patternType set to file, pattern must be specified with <hashName>:<value> format, such as md5:78Ecc5C05Cd8B79Af480Df2F8Fba0B9D.

  • source - (Required) Source of the Threat Intelligence Indicator.

  • validateFromUtc - (Required) The start of validate date in RFC3339.

  • workspaceId - (Required) The ID of the Log Analytics Workspace. Changing this forces a new Sentinel Threat Intelligence Indicator to be created.

  • confidence - (Optional) Confidence levels of the Threat Intelligence Indicator.

  • createdBy - (Optional) The creator of the Threat Intelligence Indicator.

  • description - (Optional) The description of the Threat Intelligence Indicator.

  • extension - (Optional) The extension config of the Threat Intelligence Indicator in JSON format.

  • externalReference - (Optional) One or more externalReference blocks as defined below.

  • granularMarking - (Optional) One or more granularMarking blocks as defined below.

  • killChainPhase - (Optional) One or more killChainPhase blocks as defined below.

  • tags - (Optional) Specifies a list of tags of the Threat Intelligence Indicator.

  • language - (Optional) The language of the Threat Intelligence Indicator.

  • modifiedBy - (Optional) The user or service principal who modified the Threat Intelligence Indicator.

  • objectMarkingRefs - (Optional) Specifies a list of Threat Intelligence marking references.

  • patternVersion - (Optional) The version of a Threat Intelligence entity.

  • revoked - (Optional) Whether the Threat Intelligence entity revoked.

  • threatTypes - (Optional) Specifies a list of threat types of this Threat Intelligence Indicator.

  • validateUntilUtc - (Optional) The end of validate date of the Threat Intelligence Indicator in RFC3339 format.

A externalReference block supports the following:

  • description - (Optional) The description of the external reference of the Threat Intelligence Indicator.

  • hashes - (Optional) The list of hashes of the external reference of the Threat Intelligence Indicator.

  • sourceName - (Optional) The source name of the external reference of the Threat Intelligence Indicator.

  • url - (Optional) The url of the external reference of the Threat Intelligence Indicator.

A granularMarking block supports the following:

  • language - (Optional) The language of granular marking of the Threat Intelligence Indicator.

  • markingRef - (Optional) The reference of the granular marking of the Threat Intelligence Indicator.

  • selectors - (Optional) A list of selectors of the granular marking of the Threat Intelligence Indicator.

A killChainPhase block supports the following:

  • name - (Optional) The name which should be used for the Lockheed Martin cyber kill chain phase.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Sentinel Threat Intelligence Indicator.

  • createdOn - The date of this Threat Intelligence Indicator created.

  • defanged - Whether the Threat Intelligence entity is defanged?

  • externalId - The external ID of the Threat Intelligence Indicator.

  • externalLastUpdatedTimeUtc - the External last updated time in UTC.

  • indicatorTypes - A list of indicator types of this Threat Intelligence Indicator.

  • lastUpdatedTimeUtc - The last updated time of the Threat Intelligence Indicator in UTC.

  • guid - The guid of this Sentinel Threat Intelligence Indicator.

  • parsedPattern - A parsedPattern block as defined below.

A parsedPattern block exports the following:

  • patternTypeKey - The type key of parsed pattern.

  • patternTypeValues - A patternTypeValues block as defined below.

A patternTypeValues block exports the following:

  • value - The value of the parsed pattern type.

  • valueType - The type of the value of the parsed pattern type value.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Sentinel Threat Intelligence Indicator.
  • read - (Defaults to 5 minutes) Used when retrieving the Sentinel Threat Intelligence Indicator.
  • update - (Defaults to 30 minutes) Used when updating the Sentinel Threat Intelligence Indicator.
  • delete - (Defaults to 30 minutes) Used when deleting the Sentinel Threat Intelligence Indicator.

Import

Sentinel Threat Intelligence Indicators can be imported using the resourceId, e.g.

terraform import azurerm_sentinel_threat_intelligence_indicator.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourcegroup1/providers/Microsoft.OperationalInsights/workspaces/workspace1/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/indicator1